Struct rustls::server::ClientCertVerifierBuilder
source · pub struct ClientCertVerifierBuilder { /* private fields */ }
Expand description
A builder for configuring a webpki
client certificate verifier.
For more information, see the WebPkiClientVerifier
documentation.
Implementations§
source§impl ClientCertVerifierBuilder
impl ClientCertVerifierBuilder
sourcepub fn clear_root_hint_subjects(self) -> Self
pub fn clear_root_hint_subjects(self) -> Self
Clear the list of trust anchor hint subjects.
By default, the client cert verifier will use the subjects provided by the root cert store configured for client authentication. Calling this function will remove these hint subjects, indicating the client should make a free choice of which certificate to send.
See ClientCertVerifier::root_hint_subjects
for more information on
circumstances where you may want to clear the default hint subjects.
sourcepub fn add_root_hint_subjects(
self,
subjects: impl IntoIterator<Item = DistinguishedName>,
) -> Self
pub fn add_root_hint_subjects( self, subjects: impl IntoIterator<Item = DistinguishedName>, ) -> Self
Add additional DistinguishedName
s to the list of trust anchor hint subjects.
By default, the client cert verifier will use the subjects provided by the root cert
store configured for client authentication. Calling this function will add to these
existing hint subjects. Calling this function with empty subjects
will have no
effect.
See ClientCertVerifier::root_hint_subjects
for more information on
circumstances where you may want to override the default hint subjects.
sourcepub fn with_crls(
self,
crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>,
) -> Self
pub fn with_crls( self, crls: impl IntoIterator<Item = CertificateRevocationListDer<'static>>, ) -> Self
Verify the revocation state of presented client certificates against the provided
certificate revocation lists (CRLs). Calling with_crls
multiple times appends the
given CRLs to the existing collection.
By default all certificates in the verified chain built from the presented client
certificate to a trust anchor will have their revocation status checked. Calling
only_check_end_entity_revocation
will
change this behavior to only check the end entity client certificate.
By default if a certificate’s revocation status can not be determined using the
configured CRLs, it will be treated as an error. Calling
allow_unknown_revocation_status
will change
this behavior to allow unknown revocation status.
sourcepub fn only_check_end_entity_revocation(self) -> Self
pub fn only_check_end_entity_revocation(self) -> Self
Only check the end entity certificate revocation status when using CRLs.
If CRLs are provided using with_crls
only check the end entity
certificate’s revocation status. Overrides the default behavior of checking revocation
status for each certificate in the verified chain built to a trust anchor
(excluding the trust anchor itself).
If no CRLs are provided then this setting has no effect. Neither the end entity certificate or any intermediates will have revocation status checked.
sourcepub fn allow_unauthenticated(self) -> Self
pub fn allow_unauthenticated(self) -> Self
Allow unauthenticated clients to connect.
Clients that offer a client certificate issued by a trusted root, and clients that offer no client certificate will be allowed to connect.
sourcepub fn allow_unknown_revocation_status(self) -> Self
pub fn allow_unknown_revocation_status(self) -> Self
Allow unknown certificate revocation status when using CRLs.
If CRLs are provided with with_crls
and it isn’t possible to
determine the revocation status of a certificate, do not treat it as an error condition.
Overrides the default behavior where unknown revocation status is considered an error.
If no CRLs are provided then this setting has no effect as revocation status checks are not performed.
sourcepub fn enforce_revocation_expiration(self) -> Self
pub fn enforce_revocation_expiration(self) -> Self
Enforce the CRL nextUpdate field (i.e. expiration)
If CRLs are provided with with_crls
and the verification time is
beyond the time in the CRL nextUpdate field, it is expired and treated as an error condition.
Overrides the default behavior where expired CRLs are not treated as an error condition.
If no CRLs are provided then this setting has no effect as revocation status checks are not performed.
sourcepub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>
pub fn build(self) -> Result<Arc<dyn ClientCertVerifier>, VerifierBuilderError>
Build a client certificate verifier. The built verifier will be used for the server to offer client certificate authentication, to control how offered client certificates are validated, and to determine what to do with anonymous clients that do not respond to the client certificate authentication offer with a client certificate.
If with_signature_verification_algorithms
was not called on the builder, a default set of
signature verification algorithms is used, controlled by the selected CryptoProvider
.
Once built, the provided Arc<dyn ClientCertVerifier>
can be used with a Rustls
ServerConfig
to configure client certificate validation using
with_client_cert_verifier
.
§Errors
This function will return a VerifierBuilderError
if:
- No trust anchors have been provided.
- DER encoded CRLs have been provided that can not be parsed successfully.
Trait Implementations§
source§impl Clone for ClientCertVerifierBuilder
impl Clone for ClientCertVerifierBuilder
source§fn clone(&self) -> ClientCertVerifierBuilder
fn clone(&self) -> ClientCertVerifierBuilder
1.0.0 · source§fn clone_from(&mut self, source: &Self)
fn clone_from(&mut self, source: &Self)
source
. Read moreAuto Trait Implementations§
impl Freeze for ClientCertVerifierBuilder
impl !RefUnwindSafe for ClientCertVerifierBuilder
impl Send for ClientCertVerifierBuilder
impl Sync for ClientCertVerifierBuilder
impl Unpin for ClientCertVerifierBuilder
impl !UnwindSafe for ClientCertVerifierBuilder
Blanket Implementations§
source§impl<T> BorrowMut<T> for Twhere
T: ?Sized,
impl<T> BorrowMut<T> for Twhere
T: ?Sized,
source§fn borrow_mut(&mut self) -> &mut T
fn borrow_mut(&mut self) -> &mut T
source§impl<T> CloneToUninit for Twhere
T: Clone,
impl<T> CloneToUninit for Twhere
T: Clone,
source§default unsafe fn clone_to_uninit(&self, dst: *mut T)
default unsafe fn clone_to_uninit(&self, dst: *mut T)
clone_to_uninit
)